Even though the majority of data breaches continue to be the result of financially motivated cybercriminal attacks, cyberespionage activities are also responsible for a significant number of data theft incidents, according to a report that will be released Tuesday by Verizon.

Verizon’s 2013 Data Breach Investigations Report (DBIR) covers data breaches investigated during 2012 by the company’s RISK Team and 18 other organizations from around the globe, including national computer emergency response teams (CERTs) and law enforcement agencies. The report compiles information from over 47,000 security incidents and 621 confirmed data breaches that resulted in at least 44 million compromised records.

In addition to including the largest number of sources to date, the report is also Verizon’s first to contain information on breaches resulting from state-affiliated cyberespionage attacks. This kind of attack targets intellectual property and accounted for 20 percent of the data breaches covered by the report.

Beyond China

In over 95 percent of cases the cyberespionage attacks originated from China, said Jay Jacobs, a senior analyst with the Verizon RISK team. The team tried to be very thorough regarding attribution and used different known indicators that linked the techniques and malware used in those breaches back to known Chinese hacker groups, he said.

However, it would be naive to assume that cyberespionage attacks only come from China, Jacobs said. “It just so happens that the data we were able to collect for 2012 reflected more Chinese actors than from anywhere else.”

The more interesting aspects of these attacks were the types of tactics used, as well as the size and industry of the targeted organizations, the analyst said.

“Typically what we see in our data set are financially motivated breaches, so the targets usually include retail organizations, restaurants, food-service-type firms, banks and financial institutions,” Jacobs said. “When we looked at the espionage cases, those industries suddenly dropped down to the bottom of the list and we saw mostly targets with a large amount of intellectual property like organizations from the manufacturing and professional services industries, computer and engineering consultancies, and so on.”

A surprising finding was the almost fifty-fifty split between the number of large organizations and small organizations that experienced breaches related to cyberespionage, the analyst said.

“When we thought of espionage, we thought of big companies and the large amount of intellectual property they have, but there were many small organizations targeted with the exact same tactics,” Jacobs said.

There is a lot of intelligence-gathering involved in the selection of targets by these espionage groups, Jacobs said. “We think that they pick the small organizations because of their affiliation or work with larger organizations.”

In comparison to cyberespionage, financially motivated cybercrime was responsible for 75 percent of data breach incidents covered in the report and hacktivists were behind the remaining 5 percent.

Questions about passwords

One noteworthy finding of this report is that all threat actors are targeting valid credentials, Jacobs said. In four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network, he said.

This will hopefully start to raise some questions about the widespread reliance on single-factor password-based authentication, Jacobs said. “I think if we switch to two-factor authentication and stop being so reliant on passwords, we might see a decrease in the number of these attacks or at least force the attackers to change” some of their techniques.

Fifty-two percent of data breach incidents involved hacking techniques, 40 percent involved the use of malware, 35 percent the use of physical attacks—for example ATM skimming—and 29 percent the use of social tactics like phishing.

The number of breaches that involved phishing was four times higher in 2012 compared to the previous year, which is probably the result of this technique being commonly used in targeted espionage campaigns.

Despite all the attention given to mobile threats during the past year, only a very small number of breaches covered by the Verizon report involved the use of mobile devices.

“For the most part, we are not seeing breaches leverage mobile devices as of yet,” Jacobs said. “That’s a pretty interesting finding that’s kind of counter-intuitive in light of all the headlines saying how insecure mobile devices are. That’s not to say they’re not vulnerable, but the attackers currently have other easier methods to get the data.”

The same holds true for cloud technologies, Jacobs said. While there have been some breaches involving systems that are hosted in the cloud, they were not the result of attacks exploiting cloud technologies, he said. “If your site is vulnerable to SQL injection, it doesn’t matter where it’s hosted—in the cloud or locally. The kind of breaches we’re seeing would occur regardless of whether the system would be in the cloud or not.”

The Verizon report includes a list of 20 critical security controls that should be implemented by companies and which are mapped to the most prevalent threat actions identified in the analyzed dataset. However, the level to which every company should implement each control depends on the industry they’re part of and the type of attacks they’re likely to be more exposed to.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.